Skip to content

fix(transaction): prevent concurrent map access in monitor#5309

Open
mfw78 wants to merge 2 commits intoethersphere:masterfrom
mfw78:fix/transaction-monitor-race-condition
Open

fix(transaction): prevent concurrent map access in monitor#5309
mfw78 wants to merge 2 commits intoethersphere:masterfrom
mfw78:fix/transaction-monitor-race-condition

Conversation

@mfw78
Copy link
Collaborator

@mfw78 mfw78 commented Dec 26, 2025

Checklist

  • I have read the coding guide.
  • My change requires a documentation update, and I have done it.
  • I have added tests to cover my changes.
  • I have filled out the description and linked the related issues.

Description

Fixes a race condition in pkg/transaction/monitor.go that causes fatal error: concurrent map iteration and map write panics.

The checkPending() function was iterating over watchesByNonce without holding the lock, while WatchTransaction() could concurrently modify the map. Classic Go map concurrency footgun. 🔫

Solution: Snapshot-based approach that minimizes lock contention:

  1. Phase 1 (lock held): Snapshot transaction data needed for RPC calls
  2. Phase 2 (lock released): Make slow RPC calls (TransactionReceipt, NonceAt)
  3. Phase 3 (lock held): Notify subscribers and cleanup

This avoids blocking WatchTransaction() callers during potentially slow (100-500ms) RPC operations.

Open API Spec Version Changes (if applicable)

N/A

Motivation and Context

Discovered while running Bee nodes in a Kurtosis test environment. The panic occurred during chequebook deployment when transaction monitoring was active.

fatal error: concurrent map iteration and map write

goroutine 182 [running]:
github.com/ethersphere/bee/v2/pkg/transaction.(*transactionMonitor).checkPending(0x4000ab8d00, 0xd46)
        /app/pkg/transaction/monitor.go:198 +0x334

Related Issue (Optional)

N/A

Screenshots (if appropriate):

N/A

@mfw78 mfw78 force-pushed the fix/transaction-monitor-race-condition branch from 52325e9 to 6396e4b Compare December 26, 2025 16:34
@mfw78 mfw78 force-pushed the fix/transaction-monitor-race-condition branch from 6396e4b to a17e3a9 Compare December 26, 2025 16:37
gacevicljubisa
gacevicljubisa reviewed Jan 2, 2026
View reviewed changes
pkg/transaction/monitor.go
if receipt != nil {
// if we have a receipt we have a confirmation
confirmedNonces[nonceGroup] = receipt
confirmedNonces[nonce] = receipt
Copy link
Member

@gacevicljubisa gacevicljubisa Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we could stop checking other txHashes here, for this nonce, because we found the receipt?

pkg/transaction/monitor.go
continue
}

oldNonce, err := tm.backend.NonceAt(tm.ctx, tm.sender, new(big.Int).SetUint64(block-tm.cancellationDepth))
Copy link
Member

@gacevicljubisa gacevicljubisa Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not see the reason to call tm.backend.NonceAt multiple times in the loop, this should be lazy loaded (we should only fetch oldNonce once and only if there are unconfirmed nonces to check). Maybe we can use this PR to improve this?

@mfw78 mfw78 requested a review from gacevicljubisa January 15, 2026 16:22
@acud acud added this to the v2.8.0 milestone Feb 4, 2026
acud
acud reviewed Feb 19, 2026
View reviewed changes
pkg/transaction/monitor.go
// if we have a receipt we have a confirmation
confirmedNonces[nonceGroup] = receipt
confirmedNonces[nonce] = receipt
break // found receipt for this nonce, no need to check other tx hashes
Copy link
Contributor

@acud acud Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mfw78 we discussed this change and figured that this change, being orthogonal to the original PR should be reverted. Ideally let's just stick to the concurrent map access related changes. Thanks!

@acud
Copy link
Contributor

acud commented Feb 19, 2026

I would also suggest that the other changes should be reverted. This component is critical and I'm not sure we have unit test coverage to see that these extra changes are inconsequential. I'd suggest to stick to the original changeset.

@mfw78
Copy link
Collaborator Author

mfw78 commented Feb 19, 2026

I would also suggest that the other changes should be reverted. This component is critical and I'm not sure we have unit test coverage to see that these extra changes are inconsequential. I'd suggest to stick to the original changeset.

Can you kindly confirm if by this you mean to just simply revert to a17e3a9?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@acud acud acud left review comments

@gacevicljubisa gacevicljubisa gacevicljubisa approved these changes

@akrem-chabchoub akrem-chabchoub akrem-chabchoub approved these changes

@janos janos Awaiting requested review from janos

@martinconic martinconic Awaiting requested review from martinconic

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2026

Development

Successfully merging this pull request may close these issues.

4 participants

@mfw78 @acud @gacevicljubisa @akrem-chabchoub

Comments